This is a problem, indeed. I've opened https://issues.apache.org/jira/browse/SOLR-14491 to address this.
On Mon, Feb 3, 2020 at 11:08 PM mosheB <moshe...@mail.com> wrote:

> We are using Solr's Kerberos authentication plugin and we are trying to
> implement field-level filtering based on the authenticated user and
> the DocTransformer class:
>
> public class FieldAclTransformerFactory extends TransformerFactory {
>     @Override
>     public DocTransformer create(String field, SolrParams params,
>             SolrQueryRequest req) {
>         String user = req.getUserPrincipal().getName();
>         return new FieldAclTransformer(user);
>     }
> }
> //****************************************************
> public class FieldAclTransformer extends DocTransformer {
>     String user;
>     public FieldAclTransformer(String user) {
>         this.user = user;
>     }
>
>     @Override
>     public void transform(SolrDocument doc, int docid, float score) {
>         // filter fields according to applicative logic, based on the
>         // authenticated user.
>     }
> }
>
> For simplicity, we do not use an authorization plugin (here is our complete
> security.json file):
> {
>     "authentication":{
>         "class": "org.apache.solr.security.KerberosPlugin"
>     }
> }
>
> During the development phase the plugin was tested against a collection
> with a single shard and everything worked as expected (Solr 8.3.1).
> After moving to production, the plugin failed. During debugging we saw that
> the reason is that SOME shards were getting an incorrect user from
> req.getUserPrincipal().getName(): instead of the ORIGINAL user, Solr's SPN
> is returned.
> Our best guess is that the failing requests are the distributed requests
> (the requests that are routed from the node that received the original
> request), and indeed, if we add `distrib=false` to our request, the plugin
> wasn't failing.
>
> So, back to the question... is this a bug in Solr, or is that just not the
> way we are supposed to get the authenticated user?
> Thanks.
>
> --
> Sent from: https://lucene.472066.n3.nabble.com/Solr-User-f472068.html
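
While the issue is open, a transformer like the one in the thread can at least avoid making its ACL decision on the node's identity. The following is an added example, not code from the thread or from Solr: it fails closed when the principal is missing or equals the node's own SPN. The class name `FieldAclGuard`, the ACL map, the field names and the principal strings are hypothetical, constructed values.

```java
import java.security.Principal;
import java.util.*;

// Added example, not Solr code: decides which fields a transformer may keep.
public class FieldAclGuard {
    private final String nodeSpn;                // assumption: this node's own SPN
    private final Map<String, Set<String>> acl;  // hypothetical: user -> restricted fields granted
    private final Set<String> publicFields;      // hypothetical: fields any caller may read

    public FieldAclGuard(String nodeSpn, Map<String, Set<String>> acl, Set<String> publicFields) {
        this.nodeSpn = nodeSpn;
        this.acl = acl;
        this.publicFields = publicFields;
    }

    // True only when the principal names an end user, not "nobody" or the node itself.
    boolean isEndUser(Principal p) {
        return p != null && p.getName() != null && !p.getName().equals(nodeSpn);
    }

    // Field names that may remain in the document for this principal.
    public Set<String> allowedFields(Principal p, Collection<String> docFields) {
        Set<String> granted = new HashSet<>(publicFields);
        if (isEndUser(p)) {
            granted.addAll(acl.getOrDefault(p.getName(), Collections.emptySet()));
        }
        // Fail closed: a null principal or the node SPN gets public fields only.
        Set<String> allowed = new TreeSet<>(docFields);
        allowed.retainAll(granted);
        return allowed;
    }

    public static void main(String[] args) {
        // Constructed sample data.
        Map<String, Set<String>> acl = new HashMap<>();
        acl.put("alice@EXAMPLE.COM", new HashSet<>(Arrays.asList("salary")));
        FieldAclGuard guard = new FieldAclGuard("HTTP/solr1.example.com@EXAMPLE.COM",
                acl, new HashSet<>(Arrays.asList("id", "title")));
        List<String> doc = Arrays.asList("id", "title", "salary", "ssn");

        Principal alice = () -> "alice@EXAMPLE.COM";
        Principal node = () -> "HTTP/solr1.example.com@EXAMPLE.COM";
        System.out.println(guard.allowedFields(alice, doc)); // user request
        System.out.println(guard.allowedFields(node, doc));  // inter-node request
        System.out.println(guard.allowedFields(null, doc));  // unauthenticated
    }
}
```

On shards that see the SPN instead of the original user, this drops restricted fields from the response rather than exposing them; it does not recover the original user's identity.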